For me, a VMware machine normally has two LAN interfaces, one connected to the LAN or the management computer and the second one connected to the WAN interface for public access.

So security is ensured by having a firewall in front of the "public network card" of VMware and only making it possible to access the management interface over the "private network card".

But how do I ensure security if I install VMware ESXi 5.0 on a normal dedicated root server with multiple public IPs, without a firewall in front of the server, without any (for me accessible) routing before the server, and without multiple network interfaces?

But on which IP is the port open? Is it bound to all public IPs? Can I bind the management interface to a specific IP? How do I bind one IP to the management interface and the rest to one or more virtual machines?

I thought about making a VLAN inside ESXi, building up a VPN over a routing VM, and making the management console only accessible with an IP from the VPN, but it tastes a little bit like how to lock myself out.

Any hints?

Edit:
root server like: server4you.com/root-server
A single server where VMware is installed, "directly" connected to the internet -> directly attackable, not in a well-secured LAN

Edit 2:
Keep in mind that people who don't have English as their first language may define things like "root server" differently than you.
Please comment on the question and write something about how to make the question clearer for you.

Maybe this phrasing is better:
How to make a VMware ESXi 5.0 server secure which has only one network card and is directly connected to the internet?

I have no experience with securing ESXi connected like that to the net; if I run virtualization like KVM or vserver it is rather easy, just securing the host server with an iptables firewall and also handling the routing there.

I haven't found good info about my problem googling for it; it's quite a special problem. Companies that do virtualization have a whole cluster of VMware servers and often not only one firewall in front of them.

So they simply don't have to secure a single VMware ESXi host without an extra firewall and with only a single network interface.
Others maybe don't virtualize or do not care about security.

Still not sure what you mean by "root server" in this context. In normal context a root server is one of 13 clusters of DNS servers that hold the zones for the TLDs.
– MDMarra Sep 10 '11 at 1:44

1

To my knowledge, a dedicated root server is a single server where you have root access. The server stands in a datacenter of a company which rents it to smaller companies or single persons which have no datacenter of their own. In Austria the definition of root server is well known. Please be a little bit nicer with your downvotes; give me some time to answer your comments before downvoting.
– c33s Sep 10 '11 at 1:57

Change port 22 to whatever you like. Look out for conflicts with other ports!

A reboot (or at least restarting inetd) is needed for the change to take effect.

4) Change routing
Because ESXi 4 has no packet filter, we need to change the routing so it doesn't know how to talk to everyone. This is a bit dangerous, because wrong routing could lead to an ESXi management interface only reachable from the local console!
You need a static IP or a known network from which you want to administer your ESXi. We add a route to this and delete the default route afterwards.

esxcfg-route -a x.x.x.x/sub y.y.y.y

where "x.x.x.x" is your network or IP, "sub" the subnet mask, and "y.y.y.y" your gateway.

For example, we have an ESXi with default gateway 12.34.56.78 and want to add only a single IP 98.76.54.21; the command is

esxcfg-route -a 98.76.54.21/32 12.34.56.78

Check if your route is correctly set:

esxcfg-route -l

If so, delete your default route:

esxcfg-route -d default y.y.y.y

When all was done correctly, you should still reach your ESXi. If not, you have to log in locally and change everything back.
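The routing step above, scripted with a lock-out guard, as an added example that is not part of the answer. It assumes ESXi's busybox sh and the esxcfg-route -a / -l / -d syntax the answer shows; the esxcli firewall ruleset commands in lock_ruleset are ESXi 5 syntax from memory and are an assumption, not something the page states, as are the ruleset ids sshServer and vSphereClient. ESXCFG and ESXCLI are variables so the functions can be dry-run anywhere with stub commands before touching a real host.

```shell
#!/bin/sh
# Added example (not from the original answer): restrict who can reach the ESXi
# management interface by routing, with a guard against locking yourself out.
# Assumptions: busybox sh on ESXi, esxcfg-route as used in the answer, and the
# ESXi 5 esxcli firewall syntax in lock_ruleset (from memory, not from the page).
ESXCFG="${ESXCFG:-esxcfg-route}"
ESXCLI="${ESXCLI:-esxcli}"

# valid_ip a.b.c.d : exactly four decimal octets, each 0-255
valid_ip() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# valid_cidr a.b.c.d/n : IPv4 address plus prefix length 0-32 (the answer's x.x.x.x/sub)
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  bits="${1#*/}"
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  valid_ip "${1%/*}"
}

# restrict_mgmt <admin-net/cidr> <gateway> [guard-seconds]
# Same order as the answer: add the admin route, list, then drop the default route.
# The guard is the addition: a background job re-adds the default route after
# guard-seconds unless you kill it once you have confirmed you can still log in.
restrict_mgmt() {
  admin="$1"; gw="$2"; guard="${3:-300}"
  valid_cidr "$admin" || { echo "bad admin network: $admin" >&2; return 1; }
  valid_ip "$gw"      || { echo "bad gateway: $gw" >&2; return 1; }

  # 1. the specific route must exist BEFORE the default route goes away
  "$ESXCFG" -a "$admin" "$gw" || return 1
  "$ESXCFG" -l

  # 2. arm the guard before doing anything destructive
  ( sleep "$guard"; "$ESXCFG" -a default "$gw" ) &
  GUARD_PID=$!

  # 3. from here the host only talks to the admin network and its own subnet
  "$ESXCFG" -d default "$gw" || { kill "$GUARD_PID" 2>/dev/null; return 1; }
  echo "default route removed; it comes back in ${guard}s unless you run: kill $GUARD_PID"
}

# lock_ruleset <ruleset-id> <admin-net/cidr> : ESXi 5 alternative to the routing trick,
# using the built-in packet filter instead. ASSUMED syntax, not taken from the page.
lock_ruleset() {
  rs="$1"; admin="$2"
  valid_cidr "$admin" || return 1
  "$ESXCLI" network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$admin" || return 1
  "$ESXCLI" network firewall ruleset set --ruleset-id "$rs" --allowed-all false
}

# Typical run on the host, with the answer's example addresses and a 5-minute guard:
#   restrict_mgmt 98.76.54.21/32 12.34.56.78 300
# then reconnect over SSH from 98.76.54.21 and run the printed `kill <pid>` to keep it.
```

The guard is the part worth copying: arm the rollback before the destructive step, not after, so a typo in the admin network or a gateway that is not on-link costs you five minutes rather than a trip to the remote console. On ESXi 5 the lock_ruleset form is the better tool, since it filters rather than relying on the host not knowing a route back; restrict the vSphere client and SSH rulesets to the same admin network you would have used for the route.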

Thank you for the answer; as soon as I have time to set up the VMware I will try your tips. But just for your information, VMware has a firewall which you can control from the GUI. See blog.thesysadmins.co.uk/…
– c33s Sep 22 '11 at 21:24

That's for Version 5 of ESXi. As I stated: "on ESXi 5 VMware included a packet filter"
– Mose Sep 27 '11 at 12:32

1

Haven't tested it, but from what you have written here it sounds feasible.
– c33s Dec 11 '12 at 10:13